Secure Coding mailing list archives

BSIMM3 lives


From: Gary McGraw <gem () cigital com>
Date: Tue, 27 Sep 2011 00:05:26 -0400

hi sc-l,

BSIMM3 was just posted.  You can download it from http://bsimm.com

Since the first BSIMM interview in October 2008, we’ve progressed from 9 to 30 to 42 firms (and more, at this point). 
We’ve also measured 11 firms twice—with about 19 months between measurements on average—providing the software security 
community with unique insight on how software security initiatives change over time. Assessing 42 individual firms and 
performing 11 re-assessments required 81 sets of in-depth interviews in just a shade less than three years.

Some highlights for the third major release of the BSIMM:

 *   BSIMM3 now includes 42 firms
 *   BSIMM3 describes 109 activities in 12 practices with 2 or more real examples for each activity (all completely 
revised since BSIMM2)
 *   11 firms have been measured twice (giving us Longitudinal Study data) and the data show measurable improvement
 *   The BSIMM3 data set has 81 distinct measurements (some firms measured twice, some firms have multiple divisions 
measured separately)
 *   BSIMM3 describes the work of 786 SSG members working with a satellite of 1750 people to secure the software 
developed by 185,316 developers
 *   BSIMM3 is available for free on the BSIMM website http://bsimm.com

The BSIMM remains the only measuring stick for software security initiatives based on science.  It is extremely useful 
for comparing the initiative of any given firm to a large group of similar firms.  The BSIMM has been used by multiple 
firms to strategize and plan their software security initiatives and measure the results.

We're proud of this work and the data we have gathered.  Please let us know what you think.

gem, brian, and sammy

P.S. Here are the companies and software security executives participating in this work.  Thanks to each and every 
one of you!
Adobe (Brad Arkin), Aon (Trey Keifer), Bank of America (Jim Apple), Capital One (Bryan Orme), DTCC, EMC (Eric Baize), 
Fannie Mae (Ted Jestin), Google (Eric Grosse), Intel (Jeff Cohen), Intuit (Shaun Gordon), McKesson (Mike Wilson), 
Microsoft (Steve Lipner), Nokia (Antti Vähä-Sipilä and Janne Uusilehto), QUALCOMM (Alex Gantman), Sallie Mae (Jerry 
Archer), SAP (Gunter Bitz), Scripps Networks Interactive (Greg Allender), Sony Ericsson (Per-Olof Persson), Standard 
Life (Mungo Carstairs and Alan Stevens), SWIFT (Peter De Gersem and Alain Desausoi), Symantec (Cassio Goldschmidt), 
Telecom Italia (Marco Bavazzano), Thomson Reuters (Tom Lawton and Andrew Rowson), Visa (Gary Warzala), VMware (Kris 
Inglis), Wells Fargo (Eric Kurnie), and Zynga (Chris Peterson).   Some companies have chosen to participate anonymously.

_______________________________________________
Secure Coding mailing list (SC-L) SC-L () securecoding org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
_______________________________________________

